Learn more about Nested Queries
Best Practices
- Use nested queries when tokens have a shared key, in this example "vulnerabilities.vulnerability".
vulnerabilities.vulnerability: (os: "windows" AND patchAvailable: "true")
- Consider the intent of your query. Here's some examples.
- Query 1: This will return Windows assets having patchable vulnerabilities. An asset is returned only when it matches both criteria.
vulnerabilities.vulnerability: (os: "windows" AND patchAvailable: "true")
- Query 2: This will return all Windows assets, and all patchable assets. An asset is returned when it matches only one criteria.
vulnerabilities.vulnerability.os: "windows" AND vulnerabilities.vulnerability.patchAvailable: "true"
- When your query is nested, enter the entire shared key first for best results. For example, Query 1 is preferred format for best results.
- Query 1: Entire shared key is "vulnerabilities.vulnerability" (preferred format)
vulnerabilities.vulnerability: (os: "windows" AND patchAvailable: "true")
- Query 2: Partial shared key is "vulnerabilities"
vulnerabilities: (vulnerability.os: "windows" AND vulnerability.patchAvailable: "true")
- Keep in mind a nested query (preferred format) will have shared key "vulnerabilities" in some cases.
- Query 1: This will return Windows assets with confirmed vulnerabilities
vulnerabilities: (vulnerability.os: "windows" AND typeDetected: "Confirmed")
- Query 2: This will return Windows assets having vulnerabilities first found in past 3 days
vulnerabilities: (vulnerability.os: "windows" AND firstFound > now-3d)
More examples
- Find assets with the tag "Cloud Agent" and certain software installed. This will return assets that have 1) the tag Cloud Agent, and 2) certain software installed (both name and version).
tags.name: `Cloud Agent` AND software: (name:`Cisco AnyConnect Secure Mobility Client` and version: `3.1.14018`)
- Find assets with vulnerabilities that match both criteria: last found on 2018-01-12 and have a patch available.
vulnerabilities: (lastFound: '2018-01-12' AND vulnerability.patchAvailable: "true")
- Find assets with vulnerabilities that match both criteria: first found in the past 10 days and have CVSS Base score 7.8.
vulnerabilities: (firstFound > now-10d AND vulnerability.cvssInfo.baseScore: 7.8)
- You can also find assets that match the vulnerabilities and assets criteria mentioned in Vulnerability and Asset fields:
Vulnerability: vulnerabilities.severity: 4
Asset: tags.name:Cloud Agent and vulnerabilities:(vulnerability.qid:91568)